Upcoming Events

Google today introduced a new tool for testing network traffic security called Nogotofail. The company has released it as an open source project available on GitHub, meaning anyone can use it, contribute new features, provide support for more platforms, and do anything else with the end goal of helping to improve the security of the Internet.

The tool’s main purpose is to test whether the devices or applications you are using are safe against known TLS/SSL vulnerabilities and misconfigurations (it includes testing for common SSL certificate verification issues, HTTPS and TLS/SSL library bugs, SSL and STARTTLS stripping issues, cleartext issues, and so on). Nogotofail works on Android, iOS, Linux, Windows, Chrome OS, OSX, and “in fact any device you use to connect to the Internet.”

Today’s move is a push to boost TLS/SSL usage by releasing the tool for public use. The company explains why this is necessary:

Google is committed to increasing the use of TLS/SSL in all applications and services. But “HTTPS everywhere” is not enough; it also needs to be used correctly. Most platforms and devices have secure defaults, but some applications and libraries override the defaults for the worse, and in some instances we’ve seen platforms make mistakes as well. As applications get more complex, connect to more services, and use more third party libraries, it becomes easier to introduce these types of mistakes.

Google says it has been using Nogotofail internally “for some time” and has worked with developers to improve the security of their apps. The company didn’t say whether it played a role in the discovery or diagnosis of the POODLE security flaw.

Nogotofail was built by the Android Security Team. As a result, it features a client to configure the settings and get notifications on Android as well as Linux. The attack engine itself can be deployed as a router, VPN server, or proxy.

The tool requires Python 2.7 and pyOpenSSL>=0.13. It features an on-path network MiTM, designed to work on Linux machines, as well and optional clients for the devices being tested.